Europäisches Patentamt
European Patent Office
Office européen des brevets

(11) Publication number: 0 532 227 A2

EUROPEAN PATENT APPLICATION

(21) Application number: 92307999.0
(22) Date of filing: 03.09.92
(51) Int. Cl.5: H04L 9/32
(30) Priority: 13.09.91 US 759314
(43) Date of publication of application: 17.03.93 Bulletin 93/11
(84) Designated Contracting States: DE FR GB SE
(71) Applicant: AMERICAN TELEPHONE AND TELEGRAPH COMPANY, 32 Avenue of the Americas, New York, NY 10013-2412 (US)
(72) Inventors: Reeds III, James Alexander, 127 Southgate Road, New Providence, New Jersey 07974 (US); Treventi, Philip Andrew, 15 Candlewood Drive, Murray Hill, New Jersey 07974 (US); Yu, I-Hsiang, 9 Hickory Place, Cedar Knolls, New Jersey 07927 (US)
(74) Representative: Buckley, Christopher Simon Thirsk et al, AT & T (UK) LTD., 5 Mornington Road, Woodford Green, Essex IG8 0TU (GB)

(54) Cellular telephony authentication arrangement.

(57) Abstract: A secure cellular telephony arrangement where the mobile unit maintains a secret that is assigned to it by the service provider, and which is known to the provider (home cellular geographic service area -- CGSA) but not to any other base station. A shared secret datum is generated by the home CGSA with the aid of the secret and some other data. That data is transmitted to the mobile unit to enable it to also generate the shared secret datum. A mobile unit wishing to communicate with a base station creates an authentication string with the aid of the shared secret datum and sends it and the unit's identity to the base station. A base station which does not have the shared secret datum is unable to immediately authenticate the mobile unit. It therefore contacts the home CGSA, receives the shared secret datum and the other data, and proceeds to authenticate the mobile unit's authentication string. With the information received from the home CGSA the base station can direct the mobile unit to regenerate the shared secret datum or even create a new one.


EP 0 532 227 A2 



Background of the Invention

This invention relates to authentication protocols and more particularly to protocols for ensuring the validity of communicating radio-telephones and the like.

In conventional telephony each telephone set (fax unit, modem, etc.) is physically connected to a unique port on a switch at a local central office. The connection is through a dedicated wire, or through a designated channel on a dedicated wire. The wire connection is installed by the service provider (who, typically, is the common carrier) and, therefore, the service provider can be reasonably sure that transmission on the channel arrives from the subscriber. By comparison, authentication of a subscriber in wireless telephony is less certain.

Under the current cellular telephony arrangement in the United States, when a cellular telephone subscriber places a call, his or her cellular telephone indicates to the service provider the identity of the caller for billing purposes. This information is not encrypted. If an interloper eavesdrops at the right time, he or she can obtain the subscriber's identification information. This includes the subscriber's phone number and the electronic serial number (ESN) of the subscriber's equipment. Thereafter, the interloper can program his or her cellular telephone to impersonate that bona fide subscriber to fraudulently obtain services. Alternately, an interloper can inject himself into an established connection, overpower the customer's cellular telephone equipment by transmitting more power, and redirect the call to his or her purposes by sending certain control codes to the service provider. Basically, such piracy will succeed because the service provider has no mechanism for independently authenticating the identity of the caller at the time the connection is established and/or while the connection is active.

Technology is available to permit an eavesdropper to automatically scan all of the cellular frequencies in a given cell for such identification information. Consequently, piracy of cellular telephone services is rampant. Also, the lack of enciphering of the speech signals lays bare to eavesdroppers the content of conversations. In short, there is a clear and present need for effective security measures in the cellular telephony art, and that suggests the use of cryptology for the purposes of ensuring authentication and privacy.

Several standard cryptographic methods exist for solving the general sort of authentication problem that exists in cellular telephony, but each turns out to have practical problems. First, a classical challenge/response protocol may be used, based on a private key cryptographic algorithm. In this approach, a subscriber's mobile station is issued with a secret key which is also known by the home system. When a serving system wishes to authenticate a subscriber, it applies to the home system for a challenge and a response to use with the given subscriber. The home system composes a random challenge and applies a one-way function to the challenge concatenated with the subscriber's key to obtain the corresponding response. The challenge and response are supplied to the serving system, which issues the challenge to the mobile station. The mobile station in turn replies with the response, which it calculates from the challenge and from its stored secret key. The serving system compares the responses supplied by the home system and by the mobile station, and if they match, the mobile station is deemed authentic.

The problem with this approach is that often the serving system is unable to contact the home system quickly enough to allow authentication of a call setup, or that the database software on the home system is unable to look up the subscriber's secret key and compose the challenge/response pair quickly enough. Network or software delays of a second or two would add that much dead time till the subscriber hears a dial tone after picking up the handset when placing a call, and longer delays (given the control networks and switching apparatus currently used by cellular providers) would be common. In the present milieu, such delays are unacceptable.

Public key cryptography provides another standard class of ways for solving authentication problems. Generally speaking, each mobile station would be provided with a "public key certificate" of identity, signed by the public key of the service provider, stating that the mobile station is a legitimate customer of the service provider. In addition, each mobile would also be given secret data (private keys) which it can use, together with the certificate, to prove to third parties (such as the serving system) that it is a legitimate customer.

For example, the service provider could have a pair of RSA keys, (F,G), with F private and G public. The service provider could supply each mobile with its own pair (D,E) of RSA keys, together with F(E) (the encryption of the mobile's public key E using the provider's private key F). Then a mobile asserts its identity by sending (E,F(E)) to the serving system. The serving system applies G to F(E) to obtain E. The serving system generates a challenge X, encrypts it with the mobile's public key E to obtain E(X) which it sends to the mobile. The mobile applies its private key D to E(X) to obtain X, which it sends back to the server in the clear as a response.

Although some variations on this theme involve less computation or data transmission than others, no public key authentication scheme yet exists which is efficiently executable in less than a second's time on the sort of hardware currently used in cellular telephones. Even though network connectivity between the serving and home systems is not needed at the moment of authentication, as it is in the classical approach, the same time constraints which rule out the classical approach also rule out the public key approach.

Another technique is proposed by R. M. Needham and M. D. Schroeder in "Using Encryption for Authentication in Large Computer Networks", Comm. of the ACM, Vol. 21, No. 12, 993-999 (Dec. 1978). In brief, the Needham-Schroeder technique requires that a third, trusted, party (AS) should serve as an authentication server which distributes session keys to the prospective parties (A and B) who are attempting to establish secure communications. The protocol is as follows: when party A wishes to communicate with party B, it sends to authentication server AS its own name, the name of party B and a transaction identifier. Server AS returns the name of party B, a session key, the transaction identifier and a message encrypted with B's key. All that information is encrypted with A's key. Party A receives the information, decrypts it, selects the portion that is encrypted with B's key and forwards that portion to party B. Party B decrypts the received message and finds in it the name of party A and the session key. A last check (to prevent "replays") is made by party B issuing a challenge to party A, and party A replies using the session key. A match found at party B authenticates the identity of party A.

Summary of the Invention

The security needs of cellular telephony are met with an arrangement that depends on a shared secret data field. The mobile unit maintains a secret that is assigned to it by the service provider, and generates a shared secret data field from that secret. The service provider also generates the shared secret data field. When a mobile unit enters the cell of a base station, it identifies itself to the base station, and supplies to the base station a hashed authentication string. The base station consults with the provider, and if it is determined that the mobile unit is a bona fide unit, the provider supplies the base station with the shared secret data field. Thereafter the mobile unit communicates with the base station with the assistance of authentication processes that are carried out between the mobile unit and the base station, using the shared secret data field.

One feature of this arrangement is that the various base stations do not have access to the secret that was installed in the mobile unit by the provider. Only the base stations which successfully interacted with the mobile unit have the shared secret data field; and that number can be limited by the provider simply by directing the mobile unit to create a new shared secret data field.

Another feature of this arrangement is that the more time consuming authentication process that utilizes the secret, which takes place only through involvement of the provider, occurs only infrequently, when a mobile unit first enters the cell (or when it is suspected that the shared secret data field has been compromised). Call originations, call terminations, and other functions are authenticated using essentially the same authentication protocol and the same hashing function. The few differences manifest themselves in the information that is hashed.

Brief Description of the Drawing

FIG. 1 illustrates an arrangement of network providers and cellular radio providers interconnected for service to both stationary and mobile telephones and the like;
FIG. 2 depicts the process for directing the creation of a shared secret data field and the verification of same;
FIG. 3 depicts the registration process in a visited base station, for example, when the mobile unit first enters the cell serviced by the base station;
FIG. 4 shows the elements that are concatenated and hashed to create the shared secret data;
FIG. 5 shows the elements that are concatenated and hashed to create the verification sequence;
FIG. 6 shows the elements that are concatenated and hashed to create the registration sequence when the mobile unit goes on the air;
FIG. 7 shows the elements that are concatenated and hashed to create the call initiation sequence;
FIG. 8 depicts the speech encryption and decryption process in a mobile unit;
FIG. 9 shows the elements that are concatenated and hashed to create the re-authentication sequence;
FIG. 10 illustrates the three stage process for encrypting and decrypting selected control and data messages; and
FIG. 11 presents a block diagram of a mobile unit's hardware.

Detailed Description

In a mobile cellular telephone arrangement there are many mobile telephones, a much smaller number of cellular radio providers (with each provider having one or more base stations) and one or more switching network providers (common carriers). The cellular radio providers and the common carriers combine to allow a cellular telephone subscriber to communicate with both cellular and non-cellular telephone subscribers. This arrangement is depicted diagrammatically in FIG. 1, where common carrier I and common carrier II combine to form a switching network comprising switches 10-14. Stationary units 20 and 21 are connected to switch 10, mobile units 22 and 23 are free to roam, and base stations 30-40 are connected to switches 10-14. Base stations 30-34 belong to provider 1, base stations 35 and 36 belong to provider 2, base station 37 belongs to provider 4, and base stations 38-40 belong to provider 3. For purposes of this disclosure, a base station is synonymous with a cell wherein one or more transmitters are found. A collection of cells makes up a cellular geographic service area (CGSA) such as, for example, base stations 30, 31, and 32 in FIG. 1.

Each mobile unit has an electronic serial number (ESN) that is unique to that unit. The ESN is installed in the unit by the manufacturer, at the time the unit is built (for example, in a read-only memory), and it is unalterable. It is accessible, however.

When a customer desires to establish a service account for a mobile unit that the customer owns or leases, the service provider assigns to the customer a phone number (MIN1 designation), an area code designation (MIN2 designation) and a "secret" (A-key). The MIN1 and MIN2 designations are associated with a given CGSA of the provider, and all base stations in the FIG. 1 arrangement can identify the CGSA to which a particular MIN2 and MIN1 pair belongs. The A-key is known only to the customer's equipment and to the provider's CGSA processor (not explicitly shown in FIG. 1). The CGSA processor maintains the unit's ESN, A-key, MIN1 and MIN2 designations and whatever other information the service provider may wish to have.

With the MIN1 and the MIN2 designations and the A-key installed, the customer's unit is initialized for service when the CGSA processor sends to the mobile unit a special random sequence (RANDSSD), and a directive to create a "shared secret data" (SSD) field. The CGSA sends the RANDSSD, and the SSD field generation directive, through the base station of the cell where the mobile unit is present. Creation of the SSD field follows the protocol described in FIG. 2.

As an aside, in the FIG. 1 arrangement each base station broadcasts information to all units within its cell on some preassigned frequency channel (broadcast band). In addition, it maintains two-way communications with each mobile unit over a mutually agreed, (temporarily) dedicated, channel. The manner by which the base station and the mobile unit agree on the communications channel is unimportant to this invention, and hence it is not described in detail herein. One approach may be, for example, for the mobile unit to scan all channels and select an empty one. It would then send to the base station its MIN2 and MIN1 designations (either in plaintext form or enciphered with a public key), permitting the base station to initiate an authentication process. Once authenticated communication is established, if necessary, the base station can direct the mobile station to switch to another channel.

As described in greater detail hereinafter, in the course of establishing and maintaining a call on a mobile telephony system of this invention, an authentication process may be carried out a number of times throughout the conversation. Therefore, the authentication process employed should be relatively secure and simple to implement. To simplify the design and lower the implementation cost, both the mobile unit and the base station should use the same process.

Many authentication processes use a hashing function, or a one-way function, to implement the processes. A hashing function performs a many-to-one mapping which converts a "secret" to a signature. The following describes one hashing function that is simple, fast, effective, and flexible. It is quite suitable for the authentication processes of this invention but, of course, other hashing functions can be used.

The Jumble Process

The Jumble process can create a "signature" of a block of d "secret" data words b(i), with the aid of a k-word key x(j), where d, i, j, and k are integers. The "signature" creation process is carried out on one data word at a time. For purposes of this description, the words on which the Jumble process operates are 8 bits long (providing a range from 0 to 255, inclusive), but any other word size can be employed. The "secret" data block length is incorporated in the sawtooth function

s_d(t) = t for 0 ≤ t ≤ d − 1,
s_d(t) = 2d − 2 − t for d ≤ t ≤ 2d − 3, and
s_d(t) = s_d(t + 2d − 2) for all t.

This function is used in the following process where, starting with z = 0 and i = 0, for successively increasing integer values of i in the range 0 ≤ i ≤ 6d − 5,

a) b(s_d(i)) is updated by:

b(s_d(i)) = b(s_d(i)) + x(i_k) + SBOX(z) mod 256

where
* i_k is i modulo k,
* SBOX(z) = y + [y/2048] mod 256,
* y = (z ⊕ 16)(z + 111)(z),
* [y/2048] is the integer portion of y divided by 2048, and ⊕ represents the bit-wise Exclusive-OR function; and

b) z is updated with: z = z + b(s_d(i)) mod 256.

It may be appreciated that in the process just described there is no real distinction between the data and the key. Therefore, any string that is used for authentication can have a portion thereof used as a key for the above process. Conversely, the data words concatenated with the key can be considered to be the "authentication string". It may also be noted that each word b(i), where 0 ≤ i < d, is hashed individually, one at a time, which makes the hashing "in place". No additional buffers are needed for the hashing process per se.

The process just described can be easily carried out with a very basic conventional processor, since the only operations required are: shifting (to perform the division by 2048), truncation (to perform the [ ] function and the mod 256 function), addition, multiplication, and bit-wise Exclusive-OR functions.

Returning to the SSD field initialization process of FIG. 2, when a RANDSSD sequence and the directive to create a new SSD field (arrow 100 in FIG. 2) are received by the mobile station, a new SSD field is generated in accordance with FIG. 4. The mobile unit concatenates the ESN designation, the A-key, and the RANDSSD sequence to form an authentication string. The authentication string is applied to Jumble block 101 (described above) which outputs the SSD field. The SSD field comprises two subfields: the SSD-A subfield which is used to support authentication procedures, and the SSD-B subfield which is used to support voice privacy procedures and encryption of some signaling messages (described below). It may be noted that a larger number of SSD subfields can be created, either by subdividing the SSD field formed as described above or by first enlarging the SSD field. To increase the number of bits in the SSD field one needs only to start with a larger number of data bits. As will be appreciated from the disclosure below, that is not a challenging requirement.

The home CGSA processor knows the ESN and the A-key of the mobile unit to which the received MIN2 and MIN1 designations were assigned. It also knows the RANDSSD sequence that it sent. Therefore, the home CGSA processor is in a position to duplicate the SSD field creation process of the mobile unit. By concatenating the RANDSSD signal with the ESN designation and the A-key, and with the above-described Jumble process, the CGSA processor creates a new SSD field and partitions it into SSD-A and SSD-B subfields. However, the SSD field created in the home CGSA processor must be verified.

In accordance with FIG. 2, verification of the created SSD field is initiated by the mobile unit. The mobile unit generates a challenge random sequence (RANDBS sequence) in block 102 and sends it to the home CGSA processor through the serving base station (the base station that serves the area in which the mobile unit is located). In accordance with FIG. 5, the home CGSA processor concatenates the challenge RANDBS sequence, the ESN of the mobile unit, the MIN1 designation of the mobile unit, and the newly created SSD-A to form an authentication string which is applied to the Jumble process. In this instance, the Jumble process creates a hashed authentication signal AUTHBS which is sent to the mobile station. The mobile station also combines the RANDBS sequence, its ESN designation, its MIN1 designation and the newly created SSD-A to form an authentication string that is applied to the Jumble process. The mobile station compares the result of its Jumble process to the hashed authentication signal (AUTHBS) received from the home CGSA processor. If the comparison step (block 104) indicates a match, the mobile station sends a confirmation message to the home CGSA processor indicating the success of the update in the SSD field. Otherwise, the mobile station reports on the failure of the match comparison.

Having initialized the mobile station, the SSD field remains in force until the home CGSA processor directs the creation of a new SSD field. That can occur, for example, if there is reason to believe that the SSD field has been compromised. At such a time, the home CGSA processor sends another RANDSSD sequence to the mobile unit, and a directive to create a new SSD field.

As mentioned above, in cellular telephony each base station broadcasts various informational signals for the benefit of all of the mobile units in its cell. In accordance with FIG. 1 management, one of the signals broadcast by the base station is a random or pseudorandom sequence (RAND sequence). The RAND sequence is used by various authentication processes to randomize the signals that are created and sent by the mobile units. Of course, the RAND sequence must be changed periodically to prevent record/playback attacks. One approach for selecting the latency period of a RAND signal is to make it smaller than the expected duration of an average call. Consequently, a mobile unit, in general, is caused to use different RAND signals on successive calls.

In accordance with one aspect of this invention, as soon as the mobile unit detects that it enters a cell it registers itself with the base unit so that it can be authenticated. Only when a mobile unit is authenticated can it initiate calls, or have the base station direct calls to it.

When the mobile unit begins the registration process it accepts the RAND sequence broadcast by the base station and, in turn, it sends to the serving base station its MIN1 and MIN2 designations and its ESN sequence (in plaintext) as well as a hashed authentication string. According to FIG. 6, the hashed authentication string is derived by concatenating the RAND sequence, the ESN sequence, the MIN1 designation and the SSD-A subfield to form an authentication string, and applying the authentication string to the Jumble process. The hashed authentication string at the output of the Jumble process is sent to the serving base station together with the ESN sequence.

In some embodiments, all or part of the RAND sequence used by the mobile unit is also sent to the serving base station (together with the ESN sequence and the MIN1 and MIN2 designations), because the possibility exists that the RAND value has changed by the time the hashed authentication string reaches the base station.



On the base station side, the serving base station knows the RAND sequence (because the base station created it) and it also knows the ESN and the MIN2 and MIN1 designations with which the mobile unit identified itself. But the serving base station does not know the SSD field of the mobile unit. What it does know is the identity of the mobile unit's home CGSA processor (from the MIN1 and MIN2 designations). Consequently, it proceeds with the authentication process by sending to the mobile unit's home CGSA processor the MIN1 designation, the ESN sequence, the hashed authentication string that the mobile unit created and transmitted, and the RAND sequence that the serving base station broadcast (and which the mobile unit incorporated in the created hashed authentication string). From the mobile unit's MIN1 designation and ESN sequence the home CGSA processor knows the mobile unit's identity and, hence, the mobile unit's SSD-A subfield. Therefore it can proceed to create an authentication string just as the mobile unit did, and apply it to the Jumble process (FIG. 6). If the hashed authentication string created by the mobile unit's home CGSA processor matches the hashed authentication string created in the mobile unit and supplied by the serving base station, then verification is deemed successful. In such a case, the home CGSA processor supplies the serving base station with the unit's SSD field. As an aside, to keep the ESN designation and the SSD field secure, the communication between the base stations and the CGSA processor is carried in encrypted form.

In the above-described protocol, the mobile unit's CGSA processor attempts to verify the validity of the hashed authentication string. When the verification is unsuccessful, the CGSA processor informs the serving base station that the mobile unit was not authenticated and may suggest that either the contact with the mobile unit be dropped or that the mobile unit be directed to retry the registration process. To retry the registration process the home CGSA processor can either continue participation in the authentication process or it can delegate it to the serving base station. In the latter alternative, the serving base station informs the home CGSA processor of the ESN sequence and the MIN1 designation of the mobile unit, and the CGSA processor responds with the SSD field of the mobile unit and the RANDSSD with which the SSD field was created. Authentication, in the sense of creating a hashed authentication string and comparing it to the hashed authentication string sent by the mobile unit, is then carried out by the serving base station. A retry directive can then be carried out without the home CGSA processor, by the serving station sending the RANDSSD to the mobile unit. This "registration" protocol is depicted in FIG. 3.
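The Jumble process defined above, together with the SSD update and AUTHBS check of FIG. 2 and the registration check of FIG. 6 that use it, as an added worked example: this is not code from the patent, and the field widths, the constructed sample values and the choice of which part of each authentication string serves as the Jumble key are assumptions.

```python
"""Added example (not from the patent): the Jumble hash as the text specifies it,
then the SSD-creation / AUTHBS check of FIG. 2 and the registration check of
FIG. 6 modelled with it.  Field widths, the sample values and the choice of which
part of each authentication string serves as the Jumble key are assumptions."""


def sawtooth(d, t):
    """s_d(t): counts 0..d-1, falls back to 1, and repeats with period 2d-2."""
    r = t % (2 * d - 2)
    return r if r <= d - 1 else 2 * d - 2 - r


def sbox(z):
    """SBOX(z) = (y + [y/2048]) mod 256, where y = (z XOR 16)(z + 111)(z)."""
    y = (z ^ 16) * (z + 111) * z
    return (y + (y >> 11)) & 0xFF          # y >> 11 is the integer part of y/2048


def jumble(data, key):
    """Hash the d data words in place with the k key words; returns the new block.

    Word size is 8 bits, so every sum is reduced mod 256.  The loop index i runs
    over 0 <= i <= 6d - 5, and the key is reused cyclically (x(i mod k))."""
    b = list(data)
    d, k = len(b), len(key)
    if d < 2 or k < 1:
        raise ValueError("Jumble needs at least two data words and one key word")
    z = 0
    for i in range(6 * d - 4):
        j = sawtooth(d, i)
        b[j] = (b[j] + key[i % k] + sbox(z)) & 0xFF   # step a)
        z = (z + b[j]) & 0xFF                          # step b)
    return bytes(b)


# Constructed sample values (assumed widths: 32-bit ESN, 64-bit A-key, 24-bit MIN1).
ESN = bytes.fromhex("0a1b2c3d")
A_KEY = bytes.fromhex("0011223344556677")
MIN1 = bytes.fromhex("55512a")
RANDSSD = bytes.fromhex("c0ffee0badf00d")   # home CGSA's random sequence (FIG. 2)
RANDBS = bytes.fromhex("deadbeef")           # mobile's challenge (block 102)
RAND = bytes.fromhex("01234567")             # broadcast by the serving base station


def make_ssd(esn, a_key, randssd):
    """FIG. 4: Jumble over ESN || A-key || RANDSSD, split into (SSD-A, SSD-B).

    Assumption: the A-key portion of the string is reused as the Jumble key, as
    the text allows ("a portion thereof used as a key")."""
    ssd = jumble(esn + a_key + randssd, a_key)
    half = len(ssd) // 2
    return ssd[:half], ssd[half:]


def auth_hash(rand_value, esn, min1, ssd_a):
    """FIG. 5 / FIG. 6 shape: hash RAND* || ESN || MIN1 || SSD-A.

    Assumption: SSD-A is also the Jumble key, so a party without it can neither
    compute nor verify the string."""
    return jumble(rand_value + esn + min1 + ssd_a, ssd_a)


def ssd_update(esn, a_key, min1, randssd, randbs):
    """FIG. 2 from the mobile's viewpoint: both sides derive the SSD from the
    A-key (which the serving base station never sees), then the mobile checks
    the home CGSA's AUTHBS against its own.  Returns (verified, mobile SSD-A)."""
    home_ssd_a, _home_ssd_b = make_ssd(esn, a_key, randssd)       # home CGSA
    mob_ssd_a, _mob_ssd_b = make_ssd(esn, a_key, randssd)         # mobile unit
    authbs = auth_hash(randbs, esn, min1, home_ssd_a)             # from home CGSA
    verified = auth_hash(randbs, esn, min1, mob_ssd_a) == authbs  # block 104
    return verified, mob_ssd_a


def register(rand_value, esn, min1, mobile_ssd_a, home_ssd_a):
    """FIG. 6 / FIG. 3: the mobile sends the RAND-based hash in the clear; the
    serving base station, lacking SSD-A, forwards it with RAND, ESN and MIN1 to
    the home CGSA, which recomputes it and releases the SSD only on a match."""
    from_mobile = auth_hash(rand_value, esn, min1, mobile_ssd_a)
    return auth_hash(rand_value, esn, min1, home_ssd_a) == from_mobile


if __name__ == "__main__":
    ok, ssd_a = ssd_update(ESN, A_KEY, MIN1, RANDSSD, RANDBS)
    print("SSD update verified:", ok, "SSD-A:", ssd_a.hex())
    print("registration accepted:", register(RAND, ESN, MIN1, ssd_a, ssd_a))
```

A serving base station that has not yet received the SSD field from the home CGSA has no SSD-A to pass to auth_hash, which is exactly why the registration step must be relayed to the home CGSA.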

Once the mobile unit has been "registered" at the serving base station (via the above-described process) the serving base station possesses the ESN and the SSD field of the mobile unit, and subsequent authentication processes in that cell can proceed in the serving base station without reference to the home CGSA processor -- except one. Whenever, for any reason, it is desirable to alter the SSD field, communication is effectively between the home CGSA processor and the mobile unit; and the serving base station acts only as a conduit for this communication. That is because creation of a new SSD field requires an access to the secret A-key, and access to the A-key is not granted to anyone by the CGSA processor. Accordingly, when a new SSD field is to be created and the mobile unit is not in the area of the home CGSA, the following occurs:

• the home CGSA processor creates a RANDSSD sequence and alters the SSD field based on that RANDSSD sequence,
• the home CGSA processor supplies the serving base station with the RANDSSD sequence and the newly created SSD field,
• the serving base station directs the mobile unit to alter its SSD field and provides the mobile unit with the RANDSSD sequence,
• the mobile unit alters the SSD field and sends a challenge to the serving base station,
• the serving base station creates the AUTHBS string (described above) and sends it to the mobile unit, and
• the mobile unit verifies the AUTHBS string and informs the serving base station that both the mobile unit and the serving base station have the same SSD fields.

Having been registered by the serving base station, the mobile unit can initiate calls with an authentication process as depicted in FIG. 7. The call initiation sequence concatenates signals RAND, ESN, SSD-A and at least some of the called party's identification (phone) number (MIN3 in FIG. 7). The concatenated signals are applied to the Jumble process to develop a hashed authentication sequence that can be verified by the serving base station. Of course, to permit verification at the serving base station, the called party's identification number must also be transmitted in a manner that can be received by the base station (and, as before, perhaps a portion of the RAND signal), i.e., in plaintext. Once the authentication sequence is verified, the base station can process the call and make the connection to the called party.

The protocol for connecting to a mobile unit when it is a "called party" follows the registration protocol of FIG. 6. That is, the serving base station requests the called mobile station to send an authentication sequence created from the RAND sequence, ESN designation, MIN1 designation and SSD-A subfield. When authentication occurs, a path is set up between the base station and the called party mobile unit, for the latter to receive data originating from, and send data to, the mobile unit (or stationary unit) that originated the call.

It should be noted that all of the authentications described above are effective only (in the sense of being verified) with respect to the authenticated packets, or strings, themselves. To enhance security at other times, three different additional security measures can be employed. They are speech encryption, occasional re-authentication, and control message encryption.

Speech Encryption

The speech signal is encrypted by first converting it to digital form. This can be accomplished in any number of conventional ways, with or without compression, and with or without error correction codes. The bits of the digital signals are divided into successive groups of K bits and each of the groups is encrypted. More specifically, in both the mobile unit and the base station the RAND sequence, the ESN and MIN1 designations, and the SSD-B subfield are concatenated and applied to the Jumble process. The Jumble process produces 2K bits and those bits are divided into groups A and B of K bits each. In the mobile unit group A is used for encrypting outgoing speech, and group B is used for decrypting incoming speech. Conversely, in the base station group A is used for decrypting incoming speech and group B is used for encrypting outgoing speech. FIG. 8 depicts the speech encryption and decryption process.

Re-authentication 

At the base station's pleasure, a re-authentication process is initiated to confirm that the mobile unit which the base station believes is active is, in fact, the mobile unit that was authorized to be active. This is accomplished by the base station requesting the mobile unit to send a hashed authentication sequence in accordance with FIG. 9. With each such request, the base station sends a special (RANDU) sequence. The mobile unit creates the hashed authentication sequence by concatenating the RANDU sequence, the area code MIN2 designation of the mobile unit, the ESN designation, the MIN1 designation and the SSD-A designation. The concatenated string is applied to the Jumble process, and the resulting hashed authentication string is sent to the base station. The base station, at this point, is in a position to verify that the hashed authentication string is valid.

Control Message Cryptosystem 

The third security measure deals with ensuring the privacy of control messages. In the course of an established call, various circumstances may arise that call for the transmission of control messages. In some situations, the control messages can significantly and adversely affect either the mobile station that originated the call or the base station. For that reason, it is desirable to encipher (reasonably well) some types of control messages sent while the conversation is in progress. Alternately, selected fields of chosen message types may be encrypted. This includes "data" control messages such as credit card numbers, and call redefining control messages. This is accomplished with the Control Message Cryptosystem.

The Control Message Cryptosystem (CMC) is a symmetric key cryptosystem that has the following properties:

1) it is relatively secure,

2) it runs efficiently on an eight-bit computer, and

3) it is self-inverting.

The cryptographic key for CMC is an array, TBOX[z], of 256 bytes which is derived from a "secret" (e.g., SSD-B subfield) as follows:

1. for each z in the range 0 ≤ z < 256, set TBOX[z] = z, and

2. apply the array TBOX[z] and the secret (SSD-B) to the Jumble process.

This is essentially what is depicted in elements 301, 302 and 303 in FIG. 8 (except that the number of bits in FIG. 8 is 2K rather than 256 bytes).

Once the key is derived, CMC can be used to encrypt and decrypt control messages. Alternately, the key can be derived "on the fly" each time the key is used. CMC has the capability to encipher variable length messages of two or more bytes. CMC's operation is self-inverting, or reciprocal. That is, precisely the same operations are applied to the ciphertext to yield plaintext as are applied to plaintext to yield ciphertext. Thus, a two-fold application of the CMC operations would leave the data unchanged.

In the description that follows it is assumed that for the encryption process (and the decryption process) the plaintext (or the ciphertext) resides in a data buffer and that CMC operates on the contents of that data buffer such that the final contents of the data buffer constitute the ciphertext (or plaintext). That means that elements 502 and 504 in FIG. 10 can be one and the same register.

CMC is comprised of three successive stages, each of which alters each byte string in the data buffer. When the data buffer is d bytes long and each byte is designated by b(i), for i in the range 0 ≤ i < d:

I. The first stage of CMC is as follows:

1. Initialize a variable z to zero,

2. For successive integer values of i in the range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order byte of i, where ⊕ is the bitwise boolean Exclusive-OR operator,

b. form variable k by: k = TBOX[q],

c. update b(i) with: b(i) = b(i) + k mod 256, and

d. update z with: z = b(i) + z mod 256.

II. The second stage of CMC is:

1. for all values of i in the range 0 ≤ i < (d - 1)/2:

b(i) = b(i) ⊕ (b(d-1-i) OR 1), where OR is the bitwise boolean OR operator.

III. CMC's final stage is the decryption that is the inverse of the first stage:

1. Initialize a variable z to zero,

2. For successive integer values of i in the range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order byte of i,

b. form variable k by: k = TBOX[q],

c. update z with: z = b(i) + z mod 256,

d. update b(i) with: b(i) = b(i) - k mod 256.
The three stage process employed to encrypt and decrypt selected control and data messages is illustrated in FIG. 10. In one preferred embodiment the first stage and the third stage are an autokey encryption and decryption, respectively. An autokey system is a time-varying system where the output of the system is used to affect the subsequent output of the system. For further reference regarding cryptography and autokey systems, see W. Diffie and M.E. Hellman, Privacy and Authentication: An Introduction to Cryptography, Proc. of the I.E.E.E., Vol. 67, No. 3, March 1979.
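As an added illustration (not code from the patent), the three CMC stages described above written out in Python. Step 1 of the key derivation (the identity table) follows the text; since the Jumble process is not specified on this page, a SHAKE-256 keyed table stands in for step 2, which is an assumption of this example, as are the sample SSD-B and message values.

```python
import hashlib

def identity_tbox():
    """Step 1 of the TBOX derivation: TBOX[z] = z for 0 <= z < 256."""
    return list(range(256))

def derive_tbox(ssd_b):
    """Step 2 keys the identity table with SSD-B via the Jumble process. Jumble
    is not specified on this page, so a SHAKE-256 keyed table is used here as a
    constructed stand-in (an assumption of this example, not the patent's Jumble)."""
    return list(hashlib.shake_256(bytes(identity_tbox()) + ssd_b).digest(256))

def cmc(buf, tbox):
    """Run the three CMC stages over a copy of buf and return the result bytes."""
    b = bytearray(buf)
    d = len(b)
    if d < 2:
        raise ValueError("CMC enciphers messages of two or more bytes")
    # Stage I: autokey encryption; z chains each output byte into the next step.
    z = 0
    for i in range(d):
        q = z ^ (i & 0xFF)          # q = z XOR low-order byte of i
        k = tbox[q]
        b[i] = (b[i] + k) & 0xFF    # b(i) = b(i) + k mod 256
        z = (b[i] + z) & 0xFF       # z = b(i) + z mod 256
    # Stage II: self-inverting transformation over all i with i < (d-1)/2,
    # i.e. the first d//2 bytes; each is XORed with (its mirror byte OR 1).
    # The mirror byte is never itself modified here, so the stage is an involution.
    for i in range(d // 2):
        b[i] ^= b[d - 1 - i] | 1
    # Stage III: autokey decryption, the inverse of Stage I. z is updated from the
    # buffer byte before k is subtracted, so it follows the same sequence as Stage I.
    z = 0
    for i in range(d):
        q = z ^ (i & 0xFF)
        k = tbox[q]
        z = (b[i] + z) & 0xFF
        b[i] = (b[i] - k) & 0xFF    # b(i) = b(i) - k mod 256
    return bytes(b)

def is_reciprocal(msg, tbox):
    """The property the text claims: applying CMC twice leaves the data unchanged."""
    return cmc(cmc(msg, tbox), tbox) == bytes(msg)

if __name__ == "__main__":
    ssd_b = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed SSD-B value
    tbox = derive_tbox(ssd_b)
    control_msg = b"\x01\x02\x03\x04\x05\x06\x07"            # constructed sample message
    ct = cmc(control_msg, tbox)
    print("ciphertext:", ct.hex(), "reciprocal:", is_reciprocal(control_msg, tbox))
```

With the identity TBOX (the table before Jumble is applied) the stages can be traced by hand: the two-byte all-zero buffer becomes 01 01.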

Mobile Unit Apparatus 

FIG. 11 presents a block diagram of a mobile unit hardware. It comprises a control block 200 which includes (though not illustrated) the key pad of a cellular telephone, the hand set and the unit's power control switch. Control block 200 is connected to processor 210 which controls the workings of the mobile unit, such as converting speech signals to digital representation, incorporating error correction codes, encrypting the outgoing digital speech signals, decrypting incoming speech signals, forming and encrypting (as well as decrypting) various control messages, etc. Block 210 is coupled to block 220 which comprises the bulk of the circuitry associated with transmission and reception of signals. Blocks 200-220 are basically conventional blocks, performing the functions that are currently performed by commercial mobile telephone units (though the commercial units do not carry out encrypting and decrypting). To incorporate the authentication and encryption processes disclosed herein, the apparatus of FIG. 11 also includes a block 240 which comprises a number of registers coupled to processor 210, and a "personality" module 230 that is also coupled to processor 210. Module 230 may be part of the physical structure of a mobile telephone unit, or it may be a removable (and pluggable) module that is coupled to the mobile telephone unit through a socket interface. It may also be coupled to processor 210 through an electromagnetic path, or connection. In short, module 230 may be, for example, a "smart card".

Module 230 comprises a Jumble processor 231 and a number of registers associated with processor 231. Alternately, in another preferred embodiment, only the A-Key is in the module 230. A number of advantages accrue from installing (and maintaining) the A-key, and the MIN1 and MIN2 designations in the registers of module 230, rather than in the registers of block 240. It is also advantageous to store the developed SSD field in the registers of module 230. It is further advantageous to include among the registers of module 230 any needed working registers for carrying out the processes of processor 231. By including these elements in module 230, the user may carry the module on his person to use it with different mobile units (e.g. "extension" mobile units) and have none of the sensitive information be stored outside the module. Of course, mobile units may be produced with module 230 being an integral and permanent part of the unit. In such embodiments, Jumble processor 231 may be merged within processor 210. Block 240 stores the unit's ESN designation and the various RAND sequences that are received.

Although the above disclosure is couched in terms of subscriber authentication in a cellular telephony environment, and that includes personal communication networks which will serve portable wallet sized handsets, it is clear that the principles of this invention have applicability in other environments where the communication is perceived to be not sufficiently secure and where impersonation is a potential problem. This includes computer networks, for example.



Claims

1. In an arrangement including a home station, a base station and a mobile station, a method for authenticating the mobile station prior to the establishment of a call between the mobile station and the base station comprising the steps of:

the home station and the mobile station sharing a key code that is not known to the base station while refraining from divulging the key code to the base station;

the mobile station transmitting to the base station the identity of the mobile station and an authentication signal constructed with the aid of a "shared-secret-datum" signal derived from said key code via a transformation of the key code and additional data; and

establishing the call between the base station and the mobile station when an evaluation in the base station of the authentication signal, performed with the aid of a "shared-secret-datum" signal in the base station, determines that the authentication signal sent by the mobile station is valid.

2. The method of claim 1 wherein the authentication signal constructed with the aid of a "shared-secret-datum" signal derived from said key code is a hashed string of elements.

3. The method of claim 2 further comprising:

a registration protocol for providing the base station with the "shared-secret-datum" signal wherein

the home station receives from the base station the identity of the mobile station and the hashed string transmitted to the home station;

the home station verifies the identity of the mobile station, based on the received identity of the mobile station and the received hashed string; and

the home station sends the "shared-secret-datum" signal to the base station to enable it to communicate with the mobile station.

4. The method of claim 2 further comprising:

a registration protocol for providing the base station with the "shared-secret-datum" signal wherein

the home station sends to the base station the "shared-secret-datum" signal; and

the base station verifies the identity of the mobile station, based on the identity indication received from the mobile station and the "shared-secret-datum" signal received from the home base station.



5. The method of claim 5 further comprising the step of the base station sending to the home station an indication of results obtained in the step of verifying.

6. The method of claim 2 further comprising the step of the home station sending to the base station seed information that permits the mobile station to regenerate its copy of the "shared-secret-datum".

7. The method of claim 2 further comprising the steps of:

the base station sending to the mobile station a string of bits and a directive to regenerate its copy of the "shared-secret-datum" signal, and

the mobile station regenerating its copy of the "shared-secret-datum" signal with the aid of the string of bits to form a regenerated "shared-secret-datum" signal.

8. The method of claim 8 wherein said step of regenerating utilizes the key code.

9. The method of claim 8 further comprising the steps of:

the mobile station creating a challenge string, and sending the challenge string to the base station;

the base station creating a response to the challenge string and sending the response to the mobile station; and

the mobile station comparing the response to that of an expected response.

10. The method of claim 10 further comprising the step of sending to the base station an indication of a result of the step of comparing.

11. The method of claim 8 further comprising the steps of:

the mobile base station creating a hashed string that is related to the regenerated "shared-secret-datum" signal, and sending the hashed string to the base station.


FIG. 1 (drawing; only labels recoverable): BS, SU, SW COMMON CARRIER, PROVIDER 3, PROVIDER 4; reference numerals 10, 11, 12, 13, 14, 21, 22, 30, 35, 36, 37.

FIG. 2 (drawing; MOBILE UNIT and HOME CGSA columns): A-KEY, ESN, RANDSSD → JUMBLE → SSD-A NEW, SSD-B NEW (elements 100, 101, 102); UPDATE ORDER (RANDSSD); BASE STATION CHALLENGE ORDER (RANDBS); RANDBS, SSD-A NEW → JUMBLE → AUTHBS (element 104); AUTHBS = AUTHBS ?; BASE STATION CHALLENGE CONFIRMATION (AUTHBS); SSD UPDATE CONFIRMATION (SUCCESS/FAILURE).

FIG. 3 (drawing; MOBILE UNIT, VISITED CGSA and HOME CGSA columns): A-KEY, ESN, RANDSSD → JUMBLE → SSD-A NEW, SSD-B NEW (elements 100, 101, 102); UPDATE ORDER (RANDSSD); BASE STATION CHALLENGE ORDER (RANDBS); JUMBLE (VISITED STATION); AUTHBS (element 104); AUTHBS = AUTHBS ?; BASE STATION CHALLENGE CONFIRMATION (AUTHBS); SSD UPDATE CONFIRMATION (SUCCESS/FAILURE).

FIG. 4 (drawing): RANDSSD, ESN, A-KEY → JUMBLE.

FIG. 5 (drawing): RANDBS, ESN, MIN1, SSD-A-NEW → JUMBLE → AUTHBS.

FIG. 6 (drawing): RAND, ESN, MIN1, SSD-A → JUMBLE → AUTHR.

FIG. 7 (drawing): RAND, MIN3, ESN, MIN1, SSD-A → JUMBLE → AUTH.

FIG. 8 (drawing): elements 301 (SSD-A), 302 (JUMBLE, 2k bits) and 303; bits 1..k and k+1..2k; MOBILE UNIT SPEECH, ENCRYPT, DECRYPT, BASE STATION SPEECH.

FIG. 9 (drawing): RANDU, MIN2, ESN, MIN1, SSD-A → JUMBLE → AUTHU.

FIG. 10 (drawing; CONTROL MESSAGE CRYPTOSYSTEM): INPUT 502 → CMC FIRST STAGE (KEY 503, ENCRYPTION PROCESS 505) → SECOND STAGE (SELF-INVERTING TRANSFORMATION 507) → THIRD STAGE (KEY 503, DECRYPTION PROCESS 511) → OUTPUT 504; reference numerals 500, 501, 509, 513.

FIG. 11 (drawing; mobile unit block diagram): CONTROL 200, PROCESSOR 210, TRANS/REC ELECTRONICS 220, REG 240, module 230 containing JUMBLE 231 and REG 232.